IPSECKEY RRs?
Hi Does anyone have experience with a IPSECKEY RR? Especially how to make one? Why do I need one, you ask? Well, it's my best guest. I have to create a site2site vpn tunnel between a Westermo GPRS-Modem and a Checkpoint Firewall, and the Modem does not accept the certificate. Instead it logs: no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure) I found an example of such an RR on the interwebs, it looks like this: 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== ) My BIND 9.8.2 accepts this record, but of course I need the correct one, not the example. So, does anyone know how to convert the public key of my certificate into a signature like this? Here some additional information: Logentries of the Mestermo MRD-310: 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: Main mode peer ID is ID_IPV4_ADDR: '62.99.190.155' 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: issuer cacert not found 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: X.509 certificate rejected 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: issuer cacert not found 84Dec 18 16:51:25 pluto[16214]: VPN_ASA_TM0 #1: X.509 certificate rejected 84Dec 18 16:51:26 pluto[16214]: VPN_ASA_TM0 #1: no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure) 84Dec 18 16:51:26 pluto[16214]: VPN_ASA_TM0 #1: sending encrypted notification INVALID_KEY_INFORMATION to 62.99.190.155:500 IPSECKEY rfc: https://tools.ietf.org/html/rfc4025 Thanks! --- Ing. Christian Melbinger Netzwerk Security WienIT EDV Dienstleistungsgesellschaft mbH Co KG A-1030 Wien, Thomas-Klestil-Platz 6 tel: +43 (1) 90405 47188 fax: +43 (1) 90405 88 47188 mailto:christian.melbin...@wienit.at WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824 Persönlich haftender Gesellschafter: WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 10 - 1.0.0 Beta Release
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
BIND 10 - 1.0.0 Beta Release
Welcome to the first beta toward the first production BIND 10 1.0.0
release. BIND 10 provides a C++ library for DNS (with python
wrappers) and several cooperating daemons for providing authoritative
DNS service (with in-memory and SQLite3 backends and DNSSEC support),
dynamic DNS, zone transfers, forwarding, and experimental
recursive name service. It also provides DHCPv4 and DHCPv6 servers
and a C++ library for DHCP. Supplementary components are included
for statistics collection and reporting and remote configuration
and control.
The DNS highlights since the second alpha release include:
- - New C++ (with Python wrapper) DNS master zone file parser.
- - Rewritten command-line zone loader tool (for loading into SQLite3
database).
The DHCP highlights include:
- - Implements definitions for most of the DHCPv4 and DHCPv6 standard
options. (Option definitions are used to validate contents of
options received by a server and to create instances of options
being sent to a client.)
- - Added support for expired leases in b10-dhcp6.
Note that the new b10-loadzone has different command-line syntax
and the TSIG configuration for b10-xfrin has changed. Also, the
default configuration location changed from ${PREFIX}/var/bind10-devel/
to ${PREFIX}/var/bind10/ and default shared files changed from
${PREFIX}/share/bind10-devel/ to ${PREFIX}/share/bind10/; if
upgrading from a previous version, you may need to move and update
your configurations.
We are looking for testers to provide feedback about using this
beta release. For more information about BIND 10, the release
schedule, and the community testing plans, please see:
http://bind10.isc.org/wiki/ProductionRelease
Documentation is included and also available via the BIND 10 website
at http://bind10.isc.org/
The bind10-1.0.0-beta source may be downloaded from:
ftp://ftp.isc.org/isc/bind10/1.0.0-beta/bind10-1.0.0-beta.tar.gz
A PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind10/1.0.0-beta/bind10-1.0.0-beta.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
Users and developers are encouraged to participate on the BIND 10
mailing lists. Please provide your feedback:
https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev
Bugs may be reported as tickets via the developers website (after
logging into Trac):
http://bind10.isc.org/
A summary of the significant changes since the previous release
include (from the ChangeLog):
533.[build]*jreed
Changed the package name in configure.ac from bind10-devel
to bind10. This means the default sub-directories for
etc, include, libexec, share, share/doc, and var are changed.
If upgrading from a previous version, you may need to move
and update your configurations or change references for the
old locations.
(git bf53fbd4e92ae835280d49fbfdeeebd33e0ce3f2)
532.[func] marcin
Implemented configuration of DHCPv4 option values using
the configuration manager. In order to set values for the
data fields carried by a particular option, the user
specifies a string of hexadecimal digits that is converted
to binary data and stored in the option buffer. A more
user-friendly way of specifying option content is planned.
(Trac #2544, git fed1aab5a0f813c41637807f8c0c5f8830d71942)
531.[func] tomek
b10-dhcp6: Added support for expired leases. Leases for IPv6
addresses that are past their valid lifetime may be recycled, i.e.
rellocated to other clients if needed.
(Trac #2327, git 62a23854f619349d319d02c3a385d9bc55442d5e)
530.[func]* team
b10-loadzone was fully overhauled. It now uses C++-based zone
parser and loader library, performing stricter checks, having
more complete support for master file formats, producing more
helpful logs, is more extendable for various types of data
sources, and yet much faster than the old version. In
functionality the new version should be generally backwards
compatible to the old version, but there are some
incompatibilities: name fields of RDATA (in NS, SOA, etc) must
be absolute for now; due to the stricter checks some input that was
(incorrectly) accepted by the old version may now be rejected;
command line options and arguments are not compatible.
(Trac #2380, git 689b015753a9e219bc90af0a0b818ada26cc5968)
529.[func]* team
The in-memory data source now uses a more complete master
file parser to load textual zone files. As of this change
it supports multi-line RR representation and more complete
Local Lookups Fail When the Net is down.
We are using BIND 9.7.7 with recursion. Our boarder router temporarily failed completely isolating our campus from the rest of the internet. During that time, it was impossible to do local lookups. We were showing 997 out of 1000 recursive clients which is no surprise but the loss of local resolution effected our telephone system which is migrating over to VOIP + any other lookups a client might do that at least in theory should still work because they are making queries for hosts in our master zones. I have been here for a bit over 20 years and we have lost all connectivity only a very few times, but I had actually begun to think that newer versions of bind would still provide local resolution. The systems running the master and slave DNS's continued to run as they have plenty of resources, but there was no local resolution. Is there anything short of internal and external-facing DNS's that we can do to be sure that local resolution stays up? Thank you very much. Martin McCormick Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Local Lookups Fail When the Net is down.
In message 201212202013.qbkkdksi002...@x.it.okstate.edu, Martin McCormick writes: We are using BIND 9.7.7 with recursion. Our boarder router temporarily failed completely isolating our campus from the rest of the internet. During that time, it was impossible to do local lookups. We were showing 997 out of 1000 recursive clients which is no surprise but the loss of local resolution effected our telephone system which is migrating over to VOIP + any other lookups a client might do that at least in theory should still work because they are making queries for hosts in our master zones. I have been here for a bit over 20 years and we have lost all connectivity only a very few times, but I had actually begun to think that newer versions of bind would still provide local resolution. The systems running the master and slave DNS's continued to run as they have plenty of resources, but there was no local resolution. Is there anything short of internal and external-facing DNS's that we can do to be sure that local resolution stays up? You need to look at search lists and make sure there are no external dependancies. If you have partially qualified names being used you may be depending apon a NXDOMAIN from the root. A local copy of the root zone will help here. If you do recursion internally you will need to increase the number of recursive clients. If you are validating you will want to distribute trust anchors for internal namespace. If you are using DLV you will want a internal copy of the dlv zone. Thank you very much. Martin McCormick Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: IPSECKEY RRs?
Corrected encoding of large exponent and read from stdin.
use MIME::Base64;
print exponent: ;
$exponent = ;
print mantisa: ;
$mantisa = ;
# strip white space
$exponent =~ s/\s//g;
$mantisa =~ s/\s//g;
#convert to binary
$exponent = pack(H*, $exponent);
$mantisa = pack(H*, $mantisa);
$data = '';
if (length($exponent) 256) {
$data .= pack(C, length($exponent));
} elsif (length($exponent) 0x) {
$data .= pack(CCn, 0, 2, length($exponent));
} elsif (length($exponent) 0xff) {
$data .= pack(CCn, 0, 3, length($exponent));
} else {
$data .= pack(CCn, 0, 4, length($exponent));
}
$data .= $exponent;
$data .= $mantisa;
print encode_base64($data).\n;
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
